From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 13:30:07 2003
Date: Wed, 10 Dec 2003 13:30:02 -0800 (PST)
From: Jason Stone
To: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
In-Reply-To: <20031210202623.GC1458@nikkel.com>
Message-ID: <20031210132049.D3696@walter>
References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <20031210202623.GC1458@nikkel.com>
List-Id: Security issues [members-only posting]

> > What's needed is one-time passwords for "basic" authentication in
> > Apache.
>
> The problem with using s/key (or opie) together with http basic auth is
> the repetitive nature of http requests. The webserver would expect to see
> the basic authentication string with every single request. You would be
> prompted for your next one-time password for every single gif or link on
> the page requested. I don't know how practical that would be.

Good point. You'd have to implement your own sessioning and authentication entirely within your app, which always sucks.
An additional issue with http basic auth and an opie calculator is that opie is challenge based: you compute the response based on the iteration count and a salt string. So the user's browser is going to have to be convinced to show him the challenge so he can enter it into the calculator, but most browsers won't show you the html returned by the initial 401 request until _after_ the user has failed or bailed out of the authentication process. You could possibly coerce apache into dynamically inserting the challenge into the authentication "realm," but that probably precludes using a standard mod_auth_pam type of thing.

 -Jason

--------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the
 suspicion that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
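As an added illustration, not part of the thread, of the two points made above: a minimal server that embeds the one-time-password challenge (iteration count plus seed) in the Basic realm, and a hash-chain verifier that by design rejects the same Authorization header the second time it is presented, which is exactly why a browser re-sending it for every gif clashes with OTPs. The chain here is a simplified SHA-256 stand-in, not real OPIE/S/Key (those fold MD4/MD5 to 64 bits); the class and function names, the seed "ke1234" and the pass phrase are assumptions.

```python
import base64
import hashlib


def otp_step(value: bytes) -> bytes:
    """One step of the hash chain (simplified stand-in for the OPIE MD5 fold)."""
    return hashlib.sha256(value).digest()


def make_chain(secret: str, seed: str, count: int) -> bytes:
    """Client-side calculator: hash^count(seed || secret)."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = otp_step(value)
    return value


def parse_challenge(www_authenticate: str) -> tuple[int, str]:
    """Pull (count, seed) back out of realm="otp <count> <seed>"."""
    realm = www_authenticate.split('realm="', 1)[1].rstrip('"')
    _, count, seed = realm.split()
    return int(count), seed


class OtpBasicAuth:
    """Server state: the seed, the current sequence number and the last accepted hash."""

    def __init__(self, seed: str, count: int, secret: str):
        self.seed, self.count = seed, count
        self.last = make_chain(secret, seed, count)  # enrollment value; secret is not stored

    def challenge_header(self) -> str:
        # The challenge rides in the realm so the browser's login dialog shows it (Jason's idea).
        return f'WWW-Authenticate: Basic realm="otp {self.count - 1} {self.seed}"'

    def authenticate(self, authorization: str) -> bool:
        scheme, _, b64 = authorization.partition(" ")
        if scheme.lower() != "basic":
            return False
        _user, _, otp_hex = base64.b64decode(b64).decode().partition(":")
        try:
            candidate = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        if self.count <= 0 or otp_step(candidate) != self.last:
            return False  # wrong OTP, a replay, or a chain that needs re-enrollment
        self.last, self.count = candidate, self.count - 1  # advance: this OTP is now spent
        return True


def client_response(secret: str, seed: str, count: int, user: str = "jason") -> str:
    """What the browser would send after the user types the calculator's output as the password."""
    otp = make_chain(secret, seed, count).hex()
    return "Basic " + base64.b64encode(f"{user}:{otp}".encode()).decode()
```

The second `authenticate` call with the same header returns False, so a page with ten images would prompt the user ten more times; a session cookie issued after the first success is the usual way out, as the reply above notes.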